Posted by: David Harley | October 19, 2018

Apple and personal data, plus Android issues

ZDNet: Apple to US users: Here’s how you can now see what personal data we hold on you – “Apple’s privacy tools now go beyond Europe, so more now get to download the personal data it has collected…. The move brings the four countries in line with Europe, where Apple began offering a simpler way to download a copy of user data in May, just before the EU’s strict GDPR privacy legislation came into effect.”

Less positively:

Security Boulevard: Inside Safari Extensions | Malware’s Golden Key to User Data – “A 2-part series looking at the technology behind macOS browser extensions and how malicious add-ons can steal passwords, banking details and other sensitive user data”

And some Google/Android issues:

  • John E. Dunn for Sophos: Is Google’s Android app unbundling good for security? – “…Google’s licensing compelled device makers to install apps such as Search and Chrome if they wanted to install … the Play Store. In July 2018, the European Commission (EC) concluded this was a ploy to give Google Search a monopoly on Android, fined the company €4.34 billion ($5.1 billion) on anti-trust grounds.”
  • The Register: Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3’s security chip – “Chocolate Factory opens lid, just a little, on secure boot and crypto phone coprocessor”

David Harley

Posted by: David Harley | October 17, 2018

Another iOS passcode bypass bug

Hacker News: New iPhone Bug Gives Anyone Access to Your Private Photos – “A security enthusiast who discovered a passcode bypass vulnerability in Apple’s iOS 12 late last month has now dropped another passcode bypass bug that works on the latest iOS 12.0.1 that was released last week.”

See also News update: October 3rd

David Harley

Posted by: David Harley | October 13, 2018

Krebs/Sager interview on supply chain security

Further to the Bloomberg reports previously mentioned here, here’s a fascinating article from Brian Krebs, featuring an interview with Tony Sager. Not at all Apple-specific, but essential reading.

Supply Chain Security 101: An Expert’s View

“Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.”

David Harley

Posted by: David Harley | October 11, 2018

Chinese iPhone users – Apple IDs compromised

Technode: Hundreds of Chinese iPhone users are believed to have had their Apple IDs compromised – “Over 700 Chinese iPhone users have inexplicably had money deducted from their Apple ID-bound payment channels, with the highest being RMB 10,000 ($1,440), according to local media.”

David Harley

Posted by: David Harley | October 11, 2018

Another Bloomberg report, another supply-chain issue

In a story from 9th October, Bloomberg tells us of New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom.

“A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.”

The tampering described differs from that in Bloomberg’s previous report. This one describes an ‘implant’ in a server’s Ethernet connector. The communications company has not been named, but the report is based on information from Yossi Appleboum, described as “co-chief executive officer of Sepio Systems”, who suggests that this approach to snooping has been seen in other equipment supplied by China, while Bloomberg compares it to manipulations used by the NSA.

Commentary from The Verge: Tampered Chinese Ethernet port used to hack ‘major US telecom,’ says Bloomberg report.

Whatever the truth is of this story, it seems to go far beyond Apple, so also published on the AVIEN blog.

David Harley
